Confidentiality

British Home Secretary Theresa May’s latest Counter-Terrorism and Security Bill seeks to require communications service providers to retain and make available to government details of who is using a particular IP address. But industry commentators are unhappy with the proposals and say that they will not work in practice.

The Bill covers a range of controversial measures, with only a small part (s.17) addressing communications data. The explanatory notes to the draft Bill tell us that the purpose of these provisions is to

‘enhance law enforcement agencies’ ability to investigate terrorism and serious crime by extending the retention of relevant communications data to include data that will help to identify who is responsible for sending a communication on the internet or accessing an internet communications service.’

The Bill would add a new category of ‘relevant internet data’ to the DRIP Act's category of 'relevant communications data', to include data which could be used to identify the IP address used by the sender or recipient of a message. Like the DRIP Act, these provisions would only last until the end of 2016.

The Bill would also give the Home Secretary the right to make regulations to give effect to its objectives.

Industry commentators say that the Bill simply will not work from a technical perspective. Relying on IP addresses does not make sense, as they can be spoofed, reassigned or shared among multiple users. The Internet Services Providers' Association, ISPA, has expressed its dissatisfaction, complaining of a ‘distinct lack of engagement with industry’ on this issue.

The central EU drugs regulator, the European Medicines Agency, has taken a major step forward in its policy to publish clinical data. In a move that anticipates the introduction of the transparency provisions in the new Clinical Trials Regulation (discussed here), the EMA will publish selected data in support of drug approval applications that are filed from January 2015 onwards.

Transparency is a central plank of the new clinical trials regime. But that will not be adopted until May 2016 or later to allow for development of the new EU Portal. Meanwhile, the EMA has been consulting widely to implement an earlier move toward transparency with the twin objectives of increasing public trust in the system and enabling independent analysis of the data. Its new policy brings in the first phase of publication.

The new rules will apply to new applications for central marketing approval made from the start of next year. Once a decision on whether to approve the medicine for marketing has been reached, the clinical reports will be made public. A later date is relevant for applications for line extension or extension of indications - those filed from July 2015 will fall within the new regime.

Announcing the move, Guido Rasi, EMA Executive Director said “The adoption of this policy sets a new standard for transparency in public health and pharmaceutical research and development. This unprecedented level of access to clinical reports will benefit patients, healthcare professionals, academia and industry.”

Reaching this point has not been easy. An analysis of the public consultation outcomes shows that key industry concerns were the disclosure of commercially confidential material and protection from unfair commercial use, while researchers objected to proposed limits on accessing the data.

The EMA has accepted that allowing competitors to piggyback on the research efforts of drug companies would be unfair, and the policy deals with redaction to remove confidential material. The applicant will have to identify the material it considers to be confidential and explain why (for example, revealing details of assays not known to competitors, or disclosing details of regulatory strategies). But the final decision on redaction will be carried out by EMA staff, and the policy kicks off that debate by saying that "generally the information contained in clinical reports should not be considered [commercially confidential information]".

In addressing the concerns of researchers that access to the data would be too limited, the EMA has come up with a two-level user system, with different terms of use. The first level of use involves only reading and searching the data – for this only a simple registration process is required. The second level of access allows downloading, printing and so on. These second-level users will have to give identification details and agree to tighter terms of use.

The EMA is currently consulting on making available individual patient data. Given EU sensitivities around the personal data of individuals, this promises to be an even trickier task.

We reported in April on the decision of the European court that the 2006 Data Retention Directive was invalid. Since then, little has been said about what the EU plans to do in order to fill the gap, and there have been reports of telecoms and internet companies planning to start deleting communications data. The problem has been raised at EU council level, but finding agreement on a way forward among the 28 EU states will not provide a quick solution.

Now the UK government has said that it will introduce emergency legislation to fill the gap. It hopes that its Data Retention and Investigation Powers Bill, which has cross-party support, will become law in a matter of days.

Getting the legislation right will be tricky. It will have to do enough to meet the government’s security needs, while taking account of the European court’s reasons for striking down the directive. These were wide-ranging.

The court said that to justify such an extensive interference with individuals’ rights would require rules that are specific and adapted to the quantity of data retained, the sensitive nature of the data and the risk of unlawful access. There would need to be a high level of protection and security, and irreversible destruction of the data at the end of the retention period. And retention should be confined within the boundaries of the EU.

Any discrepancies between the UK’s planned approach and the European court’s strict ruling are likely to be challenged by privacy campaigners.

The new law, if passed as planned, will only last until the end of 2016. It is intended to plug a gap while a wider public debate takes place. It will be the job of the next government to introduce a replacement at that point.

Online auction site Ebay is asking customers to change their passwords after detecting a massive security breach with hackers obtaining the personal data of millions. In eBay’s case, it has extensive activities across Europe and a European base in Luxembourg that will be subject to the powers of data protection authorities at EU and national level.

The European courts have shown a willingness to find that an organisation is acting as a data controller within EU boundaries. In the recent ‘right to forget’ case against Google, Google’s Spanish subsidiary was found to be a data controller because its local advertising and administrative activities were carried out ‘in the context of the activities of an establishment of the controller’ (as required by the Data Protection Directive) in Spain. The actual processing of the data took place elsewhere.

In other situations, however, data is held and controlled entirely outside the EU. EU data protection laws are among the strictest, but data held by entities that have no European presence can avoid being caught.

Reforms are in train to control data even more tightly with a proposed new EU-wide Regulation, and a supplementary Directive to deal with national investigation and enforcement.

The current territorial requirements are essentially for an establishment in the EU or for equipment within the EU. But under the proposed new system, processing by entities outside the EU will be covered if it relates to offering goods or services to EU individuals, or monitors their behaviour. Hefty fines could be imposed for breach.

The stage reached by the proposals now requires negotiations to take place between the European parliament and the council of national ministers. In its March Q&As the European parliament said that the target date for making these proposals law was late 2014, although in the aftermath of the recent European parliamentary elections we have to wonder how swift that progress will be.

Last week the European Court of Justice declared the 2006 Data Retention Directive invalid. As a result, communications providers may be able to look forward to an easing of the requirements on them to collect and store individual communications data.

In a pair of joined cases brought by an Irish campaigning organisation (Digital Rights Ireland) and by a large group of Austrian applicants the court considered whether the Data Retention Directive was compatible with two fundamental rights: respect for private life and protection of personal data. The court held that

‘by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.’

Less than a year ago the same court fined Sweden 3 million Euro for failure to implement on time. Then the court was not interested in Sweden’s internal debates about the balance between the protection of privacy and the prevention of crime. It said

‘given that the directive is intended to ensure that electronic communications data are available for the purpose of the investigation, detection and prosecution of serious crime, any delay in its transposition is liable to have consequences for public and private interests.’

In 2006 concerns about terrorism and organised crime were high on the agenda, following the Madrid train bombings in 2004 and the London tube and bus bombings of 2005. The aim of the directive was to enable the collection of data by national governments in a uniform way across Europe, so that there were equal levels of protection for individuals, as well as a level playing field for businesses providing communications services. But it has been much criticised, and the relevant national laws have been challenged in several countries. With the Snowden revelations concerns about privacy for private communications and 'government snooping' now have greater political weight.

The Irish and Austrian courts will have to consider how to respond to the ruling. But because the directive itself is void EU countries which have put in place their own laws to implement it will have to consider what action to take.

The UK implemented the directive with a set of regulations covering mobile telephony, internet access, internet email and internet telephony. These regulations apply to public communications providers who generate or process communications data in the UK. Specified data to trace and identify the source of a communication, its destination, date, time, duration and type, has to be retained for 12 months and can be accessed by officials such as police officers in accordance with the Regulation of Investigatory Powers Act 2000.

It is not clear what action the UK will now take, but the Government's heavily criticised draft Communications Data Bill, that would extend the range of communications data being collected, seems even less likely to become law.

A recent decision in the English High Court about internet cookie use has been making waves.

The judge decided that a claim form could be served out of the jurisdiction (on Google in California). This sounds like a dull procedural application, but it is exciting interest because of the comments of the judge about how people can object to the use of what might seem to be fairly trivial information about them.

A group of individuals complained that they had suffered distress as a result of how Google had used cookies on Apple's Safari browser.

Traditionally, they might just have argued breach of confidence. But the procedural rules involved required there to be a different kind of legal wrong - a tort.

Since the Naomi Campbell litigation in 2004 misuse of private information has been developing as a new tort. And in the subsequent Michael Douglas/Hello! litigation the Court of Appeal explained that someone’s privacy can be invaded by further publication of information or photographs that had already been disclosed to the public.

So what kind of private information might be protected? Naomi Campbell and Michael Douglas had objected to photographs and stories in the papers. Can data collected using cookies really be private information? The individuals bringing the case against Google said that private information about them could be gleaned from targeted advertising that appeared on their screens as a result of the cookies. Other people might see the screen and draw their own conclusions about that person’s characteristics or feelings. The judge concluded that this could be enough to be private information, and disclosing it could cause distress.

The individuals were also allowed to rely on the Data Protection Act 1998. Material appearing on their screens could be ‘personal data’ deserving protection. The judge was influenced by a European Working Party report on the Data Protection Directive, saying that search histories were personal data if the relevant individual could be identified.

We continue to await press regulation following Lord Justice Leveson’s report in November 2012, whilst the Privy Council reviews two competing draft Royal Charters. There will be a Royal Charter to establish a regulator and two pieces of legislation - the Enterprise and Regulatory Reform Act 2013 and the Crime and Courts Act 2013, which provides for the establishment of a self-regulator.

The requirement to sign up for self-regulation has sparked some fear amongst bloggers, tweeters and website publishers, because there could be costs penalties for ‘publishers’ defending a libel claim (even where there is a successful defence) if the court holds that they should have signed up for regulation but have not.

Thankfully the legislation does list a number of exclusions, such as ‘a person who publishes a title that relates to a particular pastime, hobby, trade, business, industry or profession, and only contains news-related material on an incidental basis that is relevant to the main content of the title’ and publishers, such as scientific journals, academic journals, public bodies, charities, company news publications, book publishers and micro-businesses (those with fewer than 10 employees and an annual turnover not exceeding £2 million). However, could the outcome of such a wide exclusion be that the new legislation doesn’t really have much bite? With almost anyone online (except a newspaper or dedicated news outlet) falling outside of the scope of regulation, the new legislation most definitely isn’t a means for policing the dissemination of news and gossip on the wider internet.

I have been advising recently on a potential claim relating to “ownership” of data, where a company outsourced some of its administrative functions and, due to a perfect storm of a poorly implemented subcontracting arrangement and an insolvency, now has no contractual right to obtain its data from the storage provider ultimately holding the data relating to the outsourced functions.

There are plenty of lessons to be learned from this scenario, but for this post I’ll comment briefly on “ownership” of data or information, because last month, in an entirely unrelated data-related kerfuffle, the Technology and Construction Court refused an application made by Fairstar Heavy Transport to require an individual (its ex-CEO) and a cloud storage provider to hand over emails which had been forwarded to the ex-CEO’s service company’s email address, meaning that responses had not reached Fairstar’s servers. Worse for Fairstar, the forwarded emails were apparently automatically deleted from Fairstar’s servers. It was thought that the emails contained information important to Fairstar in respect of a different dispute involving a Chinese shipyard.

The application was made on the basis that Fairstar had a proprietary claim to “ownership” of the content of the emails – in other words, that Fairstar owned the content of the emails as property. Other legal issues prevented Fairstar from making other possible claims such as contractual “ownership” or an intellectual property claim – primarily that Fairstar was seeking to avoid enforcing the ex-CEO’s service contract for other reasons.

The judge dismissed the application after a review of the relevant case law, which he noted suggests strongly that in English law there is no general proprietary right in content or information. It’s a timely reminder that, despite increasingly expressed views that “the data belongs to X”, legal rights in data and information are less robust, and more complicated, than one might think. Various intellectual property rights may potentially exist in a data set, or an email exchange, depending on the circumstances, and the use of data or information provided by one party to another might be limited by contract – but don’t simply assume that “it’s our data”: it might not be that straightforward.

Hot on the heels of the Information Commissioner (see below), the European Commission has announced a public consultation to collect views about how business and research know-how is protected across the EU (perhaps with one eye on a New Year's Resolution).

About time, some might say. As the Commission itself has noted, keeping valuable information secret is often the only or most effective way that businesses have to protect their intellectual property - after all, not every good idea is patentable. The Commission has picked up concerns regarding the effectiveness of legal protection against the misuse of confidential information, which is currently only regulated at national level (without harmonisation across the EU), and decided to analyse the situation.

Changes to the laws on the protection of confidential information are likely to be highly relevant to the technology sector. You can follow, and contribute to, this consultation on the Europa website between now and 8 March 2013.